“Cybercrime-as-a-service” (CaaS) is expanding rapidly, or, as we might say, deception is being industrialised. The adversaries are no longer isolated hackers but increasingly sophisticated, business-minded entities, democratising malicious capabilities and allowing even low-skilled individuals to launch devastating attacks.
The CaaS market is a booming economy in the shadows, driving annual revenues into the billions. While precise figures are elusive due to its illicit nature, reports suggest it's a substantial and growing market. CaaS contributes significantly, and the broader cybersecurity services market (which includes both legitimate and illicit services) is projected to reach hundreds of billions of dollars in the coming years. If measured as a country, cybercrime would already be the world's third-largest economy, with projected annual damages reaching USD 10.5 trillion by 2025, as per some cybersecurity ventures. This growth is fueled by the same principles that drive legitimate businesses: specialisation, efficiency, and accessibility.
CaaS platforms function much like dark online marketplaces. They offer pre-made hacking kits, phishing templates, and even access to already compromised computer networks. These services significantly lower the entry barrier for aspiring criminals. For instance, "ransomware-as-a-service" (RaaS) kits enable users to deploy ransomware attacks with minimal technical knowledge, sometimes for as little as USD 40 per month (as per IBM, Hornetsecurity reports). Phishing kits, providing ready-to-use cloned login portals and email templates, can be acquired for USD 50 to 80 per month, with more advanced platforms costing up to USD 250 (as per ID Agent, Kaspersky reports). This commoditisation allows individuals who might lack deep technical expertise to engage in lucrative cybercriminal endeavors.
Fabio Frattuccello, Field CTO of Worldwide at CrowdStrike, succinctly captured this alarming trend: "They're effectively those bad guys, they're running with KPIs, they have return on investment target, they are embracing automation, they're embracing AI, gen AI, agentic AI capabilities, really trying to speed and simplify their operations. The bad news is their business is about breaching customers."
Fabio further added, “This trend has been growing steadily. Threat actors on the dark web are becoming increasingly specialised. Much like in legitimate business ecosystems, specialisation leads to greater efficiency. There are groups, for example, known as access brokers, who focus solely on harvesting credentials. They do not always execute full-scale attacks themselves. Instead, they sell these credentials to other groups who then carry out ransomware, data theft, or other malicious activities. This is especially problematic because possessing valid credentials eliminates the need for attackers to 'break in'; they simply log in. From a defensive standpoint, such access is difficult to detect because the activity may appear legitimate."
AI's role in accelerating attacks
The integration of artificial intelligence (AI) has further amplified CaaS capabilities. AI can craft highly convincing phishing emails with impeccable grammar, generate deepfakes for social engineering, and automate portions of the attack process. This means attacks are not only more frequent but also more sophisticated, often bypassing traditional security measures. AI also helps cybercriminals adapt quickly to new defences and create more human-like interactions to trick victims.
The speed of attacks is also a major concern. CrowdStrike's 2024 Global Threat Report notes that the average "breakout time", the time it takes for an attacker to move from a first compromised computer to another within a network, has dropped to 48 minutes, with some attacks spreading in under one minute. This rapid lateral movement means organisations have minimal time to react once a breach begins.
A Collective Defence Imperative
“Given the rapid proliferation of Cybercrime-as-a-Service, combating its entrenched mechanisms is a challenge that cannot be met by any single organisation. The current climate demands enhanced real-time threat intelligence sharing and stronger cross-sector collaboration. A critical step is to foster active collaboration amongst key stakeholders, such as financial institutions and cryptocurrency monitoring services, to limit vulnerabilities and to trace and disrupt illicit payments on the dark web,” said Prabhu Ram, Vice President (VP) – Industry Research Group (IRG), CyberMedia Research (CMR).
Enterprises must recognise that attackers often hit multiple systems simultaneously—computers, user identities, and cloud environments. This creates significant "noise" if security tools operate in isolation. Relying on many disparate security products makes it difficult to gain a holistic view and understand that seemingly separate incidents are often part of a single, coordinated attack.
This necessitates a shift towards a "best of suite" approach, integrating security solutions into a unified platform. Such a platform centralises information, links related activities, and helps prioritise threats. This allows security teams to respond more effectively to an entire incident, rather than addressing what appear to be multiple, isolated problems.
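An added example (not from the article or any vendor's product) of how a unified view links alerts from isolated endpoint, identity and cloud tools into one incident: alerts that share an entity within a time window are grouped, then ranked by how many telemetry sources they span. The alert fields, entity names and the choice of the 48-minute breakout time cited above as the window are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: window set to the 48-minute average breakout time cited in the article.
WINDOW = timedelta(minutes=48)

# Constructed sample alerts from three tools that do not talk to each other.
ALERTS = [
    {"time": "2024-10-22T09:00:00", "source": "identity",
     "entities": {"user:asha"}, "title": "Login from new country"},
    {"time": "2024-10-22T09:12:00", "source": "endpoint",
     "entities": {"user:asha", "host:fin-ws-07"}, "title": "Credential dumping tool executed"},
    {"time": "2024-10-22T09:30:00", "source": "cloud",
     "entities": {"host:fin-ws-07", "role:billing-admin"}, "title": "Unusual role assumption"},
    {"time": "2024-10-22T09:40:00", "source": "endpoint",
     "entities": {"host:hr-ws-02"}, "title": "Unsigned binary blocked"},
    {"time": "2024-10-22T15:00:00", "source": "identity",
     "entities": {"user:asha"}, "title": "Password reset"},
]

def correlate(alerts, window=WINDOW):
    """Group alerts into incidents: an alert joins an incident when it shares
    an entity with it and arrives within `window` of that incident's last alert."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        ts = datetime.fromisoformat(alert["time"])
        hits = [i for i in incidents
                if i["entities"] & alert["entities"] and ts - i["last_seen"] <= window]
        if hits:
            target = hits[0]
            for other in hits[1:]:  # this alert bridges incidents: merge them
                target["alerts"] += other["alerts"]
                target["entities"] |= other["entities"]
            incidents = [i for i in incidents if all(i is not o for o in hits[1:])]
        else:
            target = {"alerts": [], "entities": set(), "last_seen": ts}
            incidents.append(target)
        target["alerts"].append(alert)
        target["entities"] |= alert["entities"]
        target["last_seen"] = ts
    return incidents

def prioritise(incidents):
    """Rank incidents: more distinct telemetry sources first, then more alerts."""
    def score(inc):
        return (len({a["source"] for a in inc["alerts"]}), len(inc["alerts"]))
    return sorted(incidents, key=score, reverse=True)
```

On the sample data, the three alerts touching `user:asha` and `host:fin-ws-07` collapse into one top-ranked incident, while the unrelated endpoint alert and the much later password reset stay separate.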
And, to combat such scenarios, Prabhu Ram recommends harnessing artificial intelligence to enhance security. He stated, “Enterprises can harness AI-powered behavioural analytics to proactively detect anomalies and flag early indicators of cyberattacks. With AI-driven threat intelligence platforms, organisations gain the ability to rapidly analyse and respond to emerging threats in real time. Advanced AI models can now identify and block even sophisticated phishing and social engineering attempts, including those fueled by adversarial AI. To stay ahead of the curve, it’s essential to regularly update and validate these models while actively engaging in industry-wide collaboration to counter the fast-evolving landscape of Cybercrime-as-a-Service (CaaS).”
Beyond traditional detection and response, organisations must also focus on prediction. Understanding what attackers are likely to do next enables the implementation of defences before an attack occurs. This involves robust threat intelligence, knowing who the attackers are, their motives, and their methods. Combining this external knowledge with an internal view of an organisation's digital assets and vulnerabilities allows for identifying "paths of attack" and strengthening critical defence points.